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AN ASYMMETRIC SYSTEM AND METHOD FOR TAMPER-PROOF 
STORAGE OF AN AUDIT TRAIL FOR A DATABASE _ 

Cross Reference 

The application is a Continuation-in-Part application of the U.S. Patent 
Application Serial No. 09/634,445, which was filed on August 8, 2000, entitled 
"Method and System for Providing a Tamper-Proof Storage in an Audit Trail in a 
5 Database/' 

Background of the Invention 

The present invention relates generally to computer software, and more 
particularly, to a system and method for storing data in a tamper proof storage. 

10 In today's computer network environment, large volumes of data are 

customarily stored and used by various software applications. Data 
management has become an essential task for many data intensive industries. A 
smooth business operation depends both on the efficiency and security of the use 
of the stored data. From the perspective of data management, a database 

1 5 administrator (DBA) is powerful in that he usually has full access to the entire 
database and all contents stored therein. He can read, write and modify any data 
stored in the database. In a normal situation, the DBA is endowed with the 
highest level of trust because of his enormous responsibility. In certain cases, it is 
desirable to store data in a database in a secure way such that even a privileged 
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user like the DBA should not be able to modify records without detection. For 
example, it is very important to protect a monotonically increased audit trail 
which records actions taken by a user along with his identity against 
modifications. No one should be able to modify this trail, thus an independent 
auditor can trace any user's, even the DB A's, actions relating to the database, 
whereby the integrity and the security of the database are greatly enhanced. 

The normal practice consists of reading audit trail data in a database 
directly through SQL, JDBC or any such standard client program. Several 
conventional methods are used for protecting the integrity of the audit trail in a 
database system. For example, the entire audit trail can be encrypted. Although 
this encryption prevents access to the trail by the DBA, it does not prevent him 
from deleting certain records without being detected. Also it hinders the normal 
practice of reading the trail by users of the database. 

As an alternative solution, the audit trail can be validated by a signing 
process. The signing process corresponds to a digital signature operation which 
is well known in the industry. This signing process for generating a signature 
involves taking a message of any length, forming an "imprint" of the message to 
a fixed length by hashing, and mathematically transforming the hash using 
cryptographic techniques. While the signature can be generated only by the 
signer, any other user can verify the generated signature. If a trail for which the 
signature is attached has been tampered with, the verifier cannot successfully 
validate the digital signature. The signing process is directed to the entire trail, 
not a specific record in it. Under a typical scenario, after all the existing records 
have been collated, a signature is then generated for the entire trail, and the 
resulting signature is put in a secure place. Therefore, every time a new record is 
added to the database, the audit trail is signed again. This method has a heavy 
processing and computational overhead as the entire audit trail needs to be 
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accessed and signed every time a record is added. 

In another alternative solution, the records can be validated by requiring a 
signature of each record. This method validates the individual records but still 
fails to prevent the DBA from deleting records without detection. 

The process of auditing a database audit trail is expected to conform to 
"four eyes principle/' This means that there can be two or more auditors who 
separately and independently track a database audit trail. The audit trail starts 
with the joint participation of all the auditors. The auditors are supposed to 
maintain a " non-trusting" attitude towards each other and strictly track the audit 
trail for database integrity. All solutions to tamper-proof storage discussed in 
the above paragraphs are presented in the single auditor framework and hence 
cannot be applicable to auditing process that requires "four eyes principle." 

What is needed is an efficient method and system for supporting a secure 
database system so that any modifications of the audit trail in a database system 
by any user, including the privileged user like the DBA, would be detectable. 
The proposed method and system should also support "four eyes principle" for 
auditing. 

Summary of the Invention 

A method and system is provided for a tamper-proof storage of an audit 
trail in a database having one or more records. Since the integrity of the audit 
trail may be vulnerable to actions taken by an access-privileged user such as a 
database administrator, a mechanism is provided for authorized persons such as 
one or more auditors to efficiently detect any changes made by the user to the 
records in the audit trail. 

In one example of the present invention, an audit trail has one or more 
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records, each record having a corresponding authentication token and a 
validation token. If there are two or more auditors, then the trail record will 
have separate validation tokens for each of the auditors. The database has a 
writing machine (writer) which is not under the control of the access-privileged 
5 users or the auditors. 

The audit trail is initiated by generating an initial value of the 
authentication token and an initial value of the validation token based on a first 
encryption key generated by the writer (writer public key) and a second 
encryption key generated by the auditor (auditor public key). In a case of two or 
10 more auditors, separate validation tokens are generated for each auditor based 
yfi on his public key. Complimentary to the writer public key and the auditor 

^ public key, a third encryption key (writer private key) related to the first 

^ encryption key and a fourth encryption key (auditor private key) related to the 

M second encryption key are also created. While integrating the values of the 

r 1 5 validation token(s) and the writer public key into each corresponding record of 
P the audit trail, the values of the authentication token, and the writer public key 

!Z are constantly updated for the next record. The writer has an access to the 

O auditor public key, and the auditor has an access to the writer public key. 

O 

However, only the writer has an access to the writer private key, and only the 
20 auditor has an access to the auditor private key. Each auditor has the ability to 
compute the values of the validation token for the records to verify against the 
integrated values of the validation token in order to detect a tampering of the 
audit trail by any access-privileged user. 

Various benefits are achieved over conventional approaches. For instance, 
25 the security of the entire trail in a database is strengthened, while normal 

database queries are not hindered. Further, any actions taken against the records 
in the trail can be detected without involving a computationally expensive 
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process. Additionally the auditing process satisfies the requirements of a "four 
eyes principle." 



Li 



10 



Brief Description of the Drawings 

Fig. 1 illustrates a simplified graphical representation of a tamper proof 
database system. 

Fig. 2 illustrates a computer system for implementing the present 
invention. 



Description of the Preferred Embodiment 

While it is not an objective of the present invention to prevent the 
database administrator (DBA) from accessing the database under his control or 
hinder his daily work in any way, the present invention intends to provide a 

15 security system for improving the reliability of the audit trail in a database by 
assuring that any modification or deletion of the records in the trail can be 
detected by an independent auditor. 

Referring now to Fig. 1, a simplified tamper proof database system (DB) 
10 is shown. The DB 10 contains a main database operations manager (DBOM) 

20 12 and database storage 14. The Secure Store (SS) 22 stores secured information 
and performs access control based on a user's identity. The SS 22 is essentially a 
database containing information about network users, network devices, and 
other resources of a network. It helps to manage users, the network resources, 
and information on the network by providing an administrator/ operation 

25 manager which has a precise view of network resources and services at any 

instant of the network operation. In some examples of the present invention, the 
SS 22 can be a software module, a hardware component, or a combination of 

-5- 
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both software and hardware components. The SS 22 is also a secured 
information storage for storing sensitive information in a confidential form. The 
SS 22 stores information for all entities in a computer network environment, the 
entities being users, computer hardware devices, or software modules, etc. 
5 Every entity is entitled to an exclusive access to a partitioned area in the SS 22. 
For example, an auditor 20 is only given access to his related part of the SS 22 if 
he is authenticated by password or through other authentication methods. The 
SS 22 then provides information, applications, and communications accesses to 
the user after a successful authentication process. Connected to or contained in 

10 the DBOM 12 is a software engine or server that writes data to the database 
storage 14 or the SS 22. It is heretofore referred to as a writing machine or a 
writer 16. The writer 16 is decoupled from the DB 10 and is not under the control 
of the DBA. The entire DB 10 interacts with users such as a user 18 and the 
auditor 20 based on predetermined access conditions. A typical database system 

1 5 such as one provided by Oracle Corporation can be used as the DB 10 in the 
present invention. In some cases, the SS 22 can be a Novell Directory Services 
system (NDS) or the Secret Store System in NDS. The writer 16 can be a network 
loadable module (NLM) running on a software platform such as Novell's 
NetWare. The network loadable modules are program modules that perform 

20 specific tasks. For example, specific program modules can be written to 
implement the functionality of a writer. 

In order to implement various examples of the present invention, one 
common process involved is an encryption process. This process is to encrypt a 
plain readable message through mathematical transformation so that it is no 

25 longer readily decipherable. The transformed message after the encryption 
process is usually referred to as a ciphered message. The receiver performs 
reverse transformation on the ciphered message to obtain the original plain 
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message. The forward and reverse transformation encryption transformations 
require a shared secret key. The sharing of a secret key is facilitated using a 
public private key pair. The sender encrypts the shared secret key using the 
receiver's public key and sends the ciphered message to the receiver. The 
receiver decrypts the shared secret key using his private key. Only the intended 
receiver can decrypt properly and get the shared secret key, as he is the only one 
with the knowledge of his private key. Since the sender and the receiver use 
different keys for encryption and decryption of the same data, this scheme is also 
called as an asymmetric key scheme. 

The writer and the auditor can use a public key cryptographic technique, 
for example, Diff ie-Hellman key exchange technique, to arrive at a shared key 
which can then be used to compute authentication and validation tokens. In a 
Diffie-Hellman (D-H) scheme, each of the participants generates a private and 
public key pair. Only the public key of the public-private key pair is made 
public. Though the private and public key are mathematically related, obtaining 
the private key from the knowledge of the corresponding public key is 
computationally infeasible. This problem is well known as the discrete logarithm 
problem. By choosing the length of the key pair appropriately, efforts to break 
the discrete logarithm problem can be made as high as desired. The participants 
involved in a D-H scheme exchange their public keys. Then they perform 
exponentiation of the obtained public key which could be used further for 
encryption purposes. In order to facilitate proper mathematical operations, an 
appropriate (large enough so that discrete log problem is infeasible) prime 
number field is chosen. The modulus of the number field is denoted by P and 
the operations supported are modular additional and modular multiplication. 
The number field has P-l nonzero elements and a is denoted as the generating 
base which generates all the nonzero elements of the number field as 1, a a (mod 
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P), a 2 (mod P, . ..,a ? - 1 (mod P). If a private key is chosen as W, then the 
corresponding public key is ot w (mod P). For the sake of notational convenience, 
the public key is written as a w . All computations are assumed to be performed 
modulo P unless otherwise specified. 

Hence, the security of the shared secret key exchange algorithm is 
primarily measured by the design of the public and private keys, and most likely 
in the digit length of these keys. By increasing the key length, the difficulty level 
to break the encryption algorithm is increased, and the ciphered message is more 
secure in transmission. 

Another common process used by various examples of the present 
invention is called a hashing process (or a "hash" in short). A hash is a process of 
transforming a message of any length into an output message with a fixed 
length. The output message is called a digest. By definition, a hashing process 
maps a message of arbitrary length into a digest of a predetermined length. A 
secure hashing algorithm is designed so that it is computationally unfeasible to 
determine an input message from its corresponding output digests. Although 
there are a significant number of hashing algorithms known in the art, some 
well-known hashing algorithms are MD4, MD5, and Secure Hashing Algorithm 
(SHA). 

For the purpose of explaining examples of the present invention, some 
other technical terms are defined summarily below: 
Ai - ith Authentication token. 
Ri- ith Record. 

Di - String formed by concatenating fields of the ith Record or 
referred to as the data section of the ith Record. 
Vi - Auditor Validation token for the ith Record. 
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H(x) - A secure hash of the string x. 

Ek {x}- Encrypt x with key k. 

X+Y - Concatenation of strings X and Y. 

P - Prime Number for Exponentiation Operation. 

a - The generator of Prime Number Field. 

AUD - auditor private key 

a AUD (mod P) - Auditor Public Key. 

Wi - i-th writer private key 

a Wl i-th writer public key 

In one example of the present invention, an audit trail is carefully created 
and maintained. In essence, the audit trail is a database system log used for 
security purposes. The audit trail is normally used for keeping track of 
operations applied to the database system in general, along with user identities. 
Since a user is granted access to the database after an authentication process, the 
identity of the user is known to the database, the audit trail thus can record "who 
has done what" to the database. 

The audit trail also includes values of a validation token relying on which 
any tampering of the audit trail may be detected. In general, a validation token 
is a field in a record of the audit trail. When an original record is initially stored 
to create the audit trail, it is written along with an initial value of the validation 
token. As it will be discussed later in more detail, in one example of the present 
invention, a mathematical representation for an algorithm to generate the 
validation token can be represented by the following equations: 



wherein Ai is referred to as a value of an authentication token. Hence, the 
key to the encryption process for generating a validation token is its related 
authentication token. A series of authentication token values can be generated 



Vi =H(Vi_i + EAi {Di}), 
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by employing an encryption key exchange technique between the writer and an 
auditor. For instance, for the i 1 * 1 record (e.g., Ri), the writer generates a writer 
private key called Wi, computes and stores a writer public key ot Wi . The auditor 
also generates an auditor private key AUD and an auditor public key ct AUD . 
5 After the auditor sends the auditor public key to the writer and the writer 
performs an exponentiation with a AUD as the base and the writer private key Wi 
as the exponent. This operation is represented as 

Ti = (aAUD*WimodP-l) ( moc j p) 

where P is a prime number, (mod P) denotes modulo P operation and Ti is the 
_ 10 intermediate result. The writer then computes the corresponding authentication 
yQ token according to the following process formula: 

Jo At = H (Ti (mod P)) 

r: where H denotes a one-way hash function. Using this authentication token to 

H; processes the data Di in accordance with the method explained above, the 

s 15 validation token Vi is then generated. It is clear that the computation of i 4 * 1 

q validation token Vi by the writer requires, among others, the knowledge of 

J^J writer private key Wi and auditor public key a AUD . 

b: With the validation tokens created for the audit trail of the database, both 

Vi and Di are stored in the DB 10 as part of Ri. 
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Table 1 below shows different sections/ fields of the database according to 
one example of the present invention. 



Data Sector for 


Writer- 


Validation 


Validation 


the Record 


Public Key 


Token for 


Token for 




Auditor A 


Auditor B 


Do 


a wo 


Vo 


Uo 


Di 


a wi 


Vi 


Ui 










D n 


a Wn 


V n 


Un 



Table 1 



5 There are generally three major sections, the section labeled as Data Sector 

of the Record contains the actual database record field, the Writer Public Key 
section includes a writer public key computed by the writer for the 
corresponding records, and the Validation Token section shows the validation 
token values written by the writer and verifiable by the auditors such as Auditor 
10 AandB. 

To start an auditing process, an auditor trail needs to be initialized. 
According to one example the present invention, both the writer and the auditors 
are required to participate in the process. For starting the audit trail, the writer 
generates a first writer private key Wo and the corresponding writer public key 
15 a wo , and transmits ot wo to all the auditors. Each auditor also generates his 

private key AUDn and the corresponding public key a AUDn . The auditor sends 
his respective auditor public key to the writer and the other auditors. The 
auditors together generate a common initialization key, a INIT - AUD - COM and ID au d, 
the common name or identification for the audit trail. The common initialization 
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key can be computed either using Group Diffie-Hellman techniques or having 
each auditor send a pseudo random number (PRN) to other auditors using 
public key encryption and the common key is generated by combining the PRNs 
of all the auditors. Each auditor computes a temporary parameter X by 
5 concatenating an audit trail identity ID a ud, a writer public key ot wo , the common 
initialization key a INIT - AUD - COM and the auditor's public key a AUDn or 
mathematically: 

X= IDaud + a wo +a AUDn + a INrr - AUI>COM 
if there are more than one auditor, then all auditor public keys are appended in 
10 the above formula to appear as: 

X= IDaud + a wo + a INIT ' AUD - COM1 + a AUD1 + . . . +a AUDn . 

With the value X, the auditor with the public key a AUDi then forms Do by 
running a hash function over X (i.e., Do=Hash (X)). Thereafter, the initial value of 
the authentication token is created as Ao= H(a AUDi * W0 ). With the initial value of 
15 the authentication token Ao and Do, the initial value of the validation token can 
be generated as: 

Vo = H(A 0 + Eao{D 0 }). 

The first record Ro then stores cc wo and Vo as shown in Table 1. The 
auditor private key AUDi, the IDaud, a INIT - AUD - COM , and Do are further stored in 
20 the designated SS 22 for the auditor. For audit purposes, there are two 
designated fields added to the Database. One for storing the writer public key 
a Wi , and the other for holding the validation token value Vi. If there is another 
auditor, say B, the computational steps shown above are repeated with his audit 
public key. There will be one more field in the database to hold the validation 
25 token Ui for the auditor B. 

When writing more entries to the audit trail, the writer private keys and 
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validation token values are generated step by step in a "chaining" fashion. First, 
the values of cc Wi (mod P) and a AUDi * Wi (mod P) are calculated by raising a and 
a AUDi t 0 th e exponent Wi, so that the authentication token value for a record can 
be computed as: 

5 Ai = H(0tAUDi*Wi (mod P-l) ( mo d P )). 

With the authentication token Ai in hand, the validation token is 
computed as: 

Vi = H (Vi-i +E Ai {Di}) 

wherein Ai is the encryption key for i-th auditor. If there are "n" auditors, 
10 the encryption keys are respectively Ai, A2, ..A n . Finally, the writer private key 
is updated as: 

W i+ i = H(Wi + Ai + A 2 + ... + An). 

The authentication keys Ai's are immediately deleted after their usage in 
generating the new writer private key Wi+i. The computed a Wi and Vi are stored 
15 as part of the record Ri of the database. Wi+i is stored in the designated SS 22 for 
the writer to irreversibly replace the previous value Wi. For the writer private 
keys, only the writer has a full access (e.g., read and write rights). 

For a validation process, the verification of validation token requires the 
knowledge of both the auditor private key and the writer public key a Wi . The 
20 auditor private key and Do are extracted from the SS 22 of the auditor using his 
own access privileges. The audit trail is then validated from the first record 
downwards. For every record, both the authentication token and the validation 
token values are computed using the algorithm described above and the 
computed validation token is compared with the validation token stored in the 
25 audit trail. Any mismatch between them indicates a tampering of the trail. 

As the writer and the auditor use asymmetric key based computations to 
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perform, respectively, writing and validating operations, the audit trail thus 
implemented is referred to as an asymmetric audit trail. 

The audit trail thus created is tamper-proof. An attacker would have to 
solve discrete logarithm problem to know the writer private keys from the writer 
public keys. Further, the auditor's public key is stored in writer's SS, which is 
secure from unauthorized accesses. The validation token value computation 
requires the previous validation token as a parameter and hence a chaining effect 
in terms of generating the validation token values (or a "hash chaining effect") is 
ensured. 

As it is known, an audit trail can usually be tampered with in five 
different ways: 



1. deletion of the whole audit trail; 

2. deletion of N records in the middle of the audit trail; 

3. deletion of N records from the end of the audit trail; 

4. addition of invalid records to the audit trail; or 

5. modification of one or more records in the audit trail. 



The present invention can successfully and efficiently deal with all the 
above-listed possible ways of tampering. For example, since the data for the first 
record is stored in the Secure Store, and the DBA doesn't have access to it, 
therefore he can not replace the whole audit trail with an invalid one without 
being detected. 

Assuming for the purpose of illustration that the DBA deletes N records 
Ri+i to Ri+N, thus the last validatable record is record Ri. The next record should 
have authentication token and validation token calculated as follows according 
to one example of the present invention: 



However, the next validation token found in the SS 22 is not Vi+i, but Vi+n+i 



Validation Token = V i+ i = H (Vi + EamPm}}) 
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originally for record Ri+n+i, where 

V = H (Vi + N-1 + EAi + N-l{D i+N -l}) 

Assuming the cryptography technology used in the encryption process is strong 
enough, (e.g., if a hash function having good security property is chosen, the 
5 probability of V being the same as Vi+i is negligible), Vi+n+i should be different 
from Vi+i and a mismatch should almost always be detected. 

Assuming that the DBA deletes N records from the end of the trail (e.g., 
from Ri-N to Ri wherein Ri being the last record listed in the audit trail). This 
action, whether authorized or not, can be detected. The validation token 
10 generated at the end of the trail is now: 

Vi-N = H(Vi-N-l + EAi-N-l{Di-N-l}). 

However the token in the SS 22 is 

Vi = H(Vi.i + EAi{Di}) 
It is highly probable that these two validation tokens will differ which indicates 
15 that a modification of the trail has happened. 

Moreover, it is desirable to detect any addition of the records to the audit 
trail by the DBA. For example, since the validation token for a record Ri is 
generated in one example of the present invention by the following mechanism: 

Vi = H(Vi-i + EAi{Di}) 

20 and as the DBA doesn't have access to Aihe cannot generate a valid validation 
token for the new record added by him. Any additions can be detected 
immediately. 

Similarly, for modification of the record listed in the trail, since the DBA 
doesn't have access to any authentication token, he cannot generate a valid 
25 validation token for a record modified by him. Consequently, any modification 
can also be detected. 
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In the above-described examples of the present invention, it is assumed 
that the writer is a secure writing machine which has a secure storage not 
accessible by any user other than the auditor who may have a reading access. At 
a very minimum, even when an event happens that breaks the security, it is 
5 guaranteed that all records written before the event will be protected from 
tampering. This is because the writer private key for earlier records are not 
available to the attacker and therefore validation tokens for them cannot be 
generated without solving discrete logarithm problem. 

It will also be understood by those having skill in the art that one or more 

10 (including all) of the elements/ steps of the present invention may be 

implemented using software executed on a general purpose computer system or 
networked computer systems, using special purpose hardware-based computer 
systems, or using combinations of special purpose hardware and software. 
Referring now to Fig. 2, a typical computer system 100 includes a 

15 two-dimensional graphical display (also referred to as a "screen") 102 and a 
central processing unit 104. The central processing unit 104 contains a 
microprocessor and random access memory for storing programs. A disk drive 
106 for loading programs may also be provided. A keyboard 108 having a 
plurality of keys thereon is connected to the central processing unit 104, and a 

20 pointing device such as a mouse 110 is also connected to the central processing 
unit 104. 

The present invention, as described above, provides an improved method 
for providing a tamper-proof storage of an audit trail in a database. Various 
benefits are achieved over conventional approaches. For instance, the security of 
25 the entire database is strengthened, while normal database queries are not 

hindered. Further, any actions taken against the records in the audit trail can be 
detected without involving a computationally expensive process. It also 
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accommodates the need to implement the "four eyes principle/ 7 

The above disclosure provides many different embodiments, or examples, 
for implementing different features of the invention. Specific examples of 
components, and processes are described to help clarify the invention. These are, 
5 of course, merely examples and are not intended to limit the invention from that 
described in the claims. For example, various acceptable encryption algorithms 
can be conceivably used in conjunction with various examples of the present 
invention. Similarly, hashing algorithms can also be varied by one skilled in the 
art. 

10 While the invention has been particularly shown and described with 

reference to the preferred embodiment thereof, it will be understood by those 
skilled in the art that various changes in form and detail may be made therein 
without departing from the spirit and scope of the invention, as set forth in the 
following claims. 



- 17- 



